Xun Dong
Submitted For The Degree of Doctor of Philosophy
The University of York Department of Computer Science
Valuable information, such as user authentication credentials and personal sensitive information, can be obtained by exploiting vulnerabilities within the user’s understanding of a system, and particularly a lack of understanding of the user interface.
As the barrier to exploiting system vulnerabilities has increased significantly with time, attacking users has rapidly become a more efficient and effective alternative.
To protect users from phishing attacks system designers and security professionals need to understand how users interact with those attacks. In this thesis I present an improved understanding of the interaction and three novel mechanisms to defend against phishing attacks.
Contents
Abstract
List of Tables
List of Figures
Acknowledgements
Author’s Declaration
1 Introduction
1.1 What is a Phishing Attack?
1.2 The Thesis
1.2.1 Statement and the Interpretation of the Hypothesis
1.2.2 Research Method
1.3 Major Contributions
1.4 Brief Overview of the Chapters
2 Introduction to Social Engineering and Phishing attacks
2.1 Overview
2.2 Understanding of Attacks
2.2.1 Social Engineering/Semantic Attacks
2.2.2 Phishing Attacks
2.3 Bounded Rationality
2.4 Human Factors
2.4.1 Timing Attack Techniques
2.4.2 Discovering Browsing History
2.4.3 Retrieving Personal Information in Web 2.0
2.5 Technology Countermeasures
2.5.1 Novel Indicators and Visual Cues
2.5.2 Secure Authentication
2.5.3 Detecting Phishing Attacks
2.5.4 Phishing Attacks Threat Modelling
2.6 Limitations of Current Work
3 A Phishing-User Interaction Model
3.1 Study Approach
3.1.1 Why Decision Making?
3.1.2 Attack Incidents
3.1.3 Methodology
3.2 Overview of the Interaction
3.3 The Decision Making Model
3.3.1 Graphical Model
3.4 False Perceptions and Mismatches
3.4.1 How Mismatches Can Be Discovered
3.4.2 Why Users Form False Perceptions and Fail to Discover Mismatches
3.5 Suggestions and Guidelines
3.5.1 Security Tools/Indicators Design
3.5.2 Evaluation of User Interfaces
3.5.3 User Education
3.6 Discussion
4 Threat Modelling
4.1 Introduction
4.2 Overview Of The Method
4.3 Asset Identification
4.4 Threat Identification
4.4.1 Properties Of Users’ Authentication Credentials
4.4.2 Threat Identification Predicates
4.5 Vulnerabilities and Risk Level Analysis
4.5.1 User-system Interaction Case
4.5.2 Security Policy Case
4.5.3 Risk Level Estimate
4.6 Case Study One
4.6.1 Assets Identification
4.6.2 Threat Identification
4.6.3 Vulnerabilities And Risk Levels
4.7 Case Study Two
4.7.1 Assets Identification
4.7.2 Threat Identification
4.7.3 Vulnerabilities And Risk Levels
4.8 Discussion
5 User Behaviours Based Phishing Website Detection
5.1 Overview
5.2 Detection Principle
5.2.1 What User Actions Should UBPD Detect?
5.3 System Design
5.3.1 Overview Of The Detection Work Flow
5.3.2 Creation Of The User Profile
5.3.3 Update Of The User Profile
5.3.4 Phishing Score Calculation
5.3.5 Reuse
5.3.6 Warning Dialogue
5.3.7 Website Equivalence
5.3.8 User Privacy
5.3.9 Implementation
5.4 Evasion And Countermeasures
5.4.1 Manipulating User Submitted Data
5.4.2 Insertion And Fragmentation
5.4.3 Activation Of The Detection Engine
5.4.4 Denial Of Service Attack
5.5 Evaluation
5.5.1 False Negative Rate
5.5.2 False Positive Rate
5.6 Discussion
5.6.1 Why UBPD Is Useful
5.6.2 Performance
5.6.3 Limitations And Future Work
5.7 Conclusion
6 Evaluations and Future Work
6.1 The Hypothesis
6.2 Evaluation
6.2.1 Understanding Of The Nature Of Deception In Phishing Attack And The Model Of User Phishing Interaction
6.2.2 Guidelines For Phishing Attack Countermeasures
6.2.3 Threat Modelling For Web Based User Authentication Systems
6.2.4 Phishing Websites Detection Tools
6.3 Future Work
6.3.1 Refine And Improve The User-Phishing Interaction Model
6.3.2 Study Special User Groups
6.3.3 Insider Phishing Attacks
6.3.4 Usable Authentication Methods
6.3.5 Improving The User Behaviours Based Phishing Website Detection
6.3.6 Conclusion
A Appendix
A.1 Cognitive Walkthrough Example
A.1.1 Input
A.1.2 Walkthrough And Analysis
Bibliography
List of Tables
3.1 A Sample of Phishing Websites URLs
4.1 Property Relevance Table
4.2 Vulnerability Table for User Action and User Decision (adapted from [23, 53])
4.3 Vulnerability Table for Security Policy
4.4 Risk Level Assessment Table
4.5 Authentication Credential Properties for Set A
4.6 Authentication Credential Properties for Set B
4.7 Authentication Credential Properties for Set C
4.8 Threats for Set A
4.9 Threats for Set B
4.10 Threats for Set C
4.11 Authentication Credential Properties for Set A
4.12 Authentication Credential Properties for Set B
4.13 Authentication Credential Properties for Set C
4.14 Threats for Set A
4.15 Threats for Set B
4.16 Threats for Set C
5.1 Characteristics of User Profile
5.2 Phishing Websites Characteristics
List of Figures
1.1 Phishing Email Screen Shot
1.2 Phishing Website Screen Shot
2.1 Graph Model For A Man-in-a-middle Phishing Attack From [47]
2.2 Phishing Attacks From Start To Finish [6]
2.3 C-HIP Model [86]
2.4 Context Aware Phishing Attacks Experiment Design [46]
2.5 Three Simulated Toolbars [88]
2.6 The Direct Timing Attack: Response Time Difference [10]
2.7 The Cross Site Timing Attack: Response Time Difference [10]
2.8 Web Wallet
3.1 A Social Engineering Attack Incident Retrieved From The Collected Data Set
3.2 The Overview of User-Phishing Interaction
3.3 The Decision Making Model
3.4 The Syntax of a URL
4.1 The Life Cycle of Authentication Credentials
5.1 Existing Phishing Attack Detection Model
5.2 Detection Process Work Flow
5.3 User Profile Creation –1
5.4 User Profile Creation –2
5.5 An Example of How the Phishing Score Is Calculated
5.6 Phishing Warning Dialogue
A.1 Phishing Email Screen Shot
The author would like to thank Professor John Andrew Clark and Dr Jeremy Jacob for their kind support and encouragement to complete this thesis, including help tidying the English. I would like to thank my wife Ji Xiaoyan, my daughter Dong Yue, and my parents; without their support this thesis would not be possible. I should also like to thank Dr Chen Hao and Tom Haines for discussion about my ideas and also for their kind suggestions. I wish to thank all the people who have helped me, and especially the Engineering and Physical Sciences Research Council (EPSRC) of the United Kingdom for their sponsorship of the project “Defending the Weakest Link: Intrusion via Social Engineering” (EPSRC Grant EP/D051819/1). I am grateful also to the University of York’s Department of Computer Science.
Xun Dong
This thesis is the work of Xun Dong and was carried out at the University of York, United Kingdom. Work appearing here has appeared in print as follows:
• Modelling User-Phishing Interaction. Xun Dong, John A Clark and Jeremy L Jacob. Human System Interaction, 2008.
• Threat Modelling in User Performed Authentication. Xun Dong, John A Clark and Jeremy Jacob. 10th International Conference on Information and Computer Security, 2008.
• Detection of Phishing Websites by User Behaviours. Xun Dong, Jeremy Jacob and John A Clark. International Multi-conference on Computer Science and Information Technology, 2008.
• Defending the Weakest Link: Detection of Phishing Websites by User Behaviours. Xun Dong, Jeremy Jacob and John A Clark. Telecommunication Systems 45(2-3): 215-226 (2010).
The collection of social engineering attacks examples can also be found on the web site: http://www-users.cs.york.ac.uk/~xundong/se/se_attacks.php
Introduction
This chapter describes what phishing attacks are and why it is so important that we defend against them effectively. It also explains why improving our understanding of users’ psychological models and of the fundamentals of phishing attacks can inspire more effective countermeasures.
1.1 What is a Phishing Attack?
While the Internet has brought unprecedented convenience to many people for managing their finances and investments, it also provides opportunities for conducting fraud on a massive scale with little cost to the fraudsters. Fraudsters can manipulate users instead of hardware/software systems, where barriers to technological compromise have increased significantly. Phishing is one of the most widely practised Internet frauds. It focuses on the theft of sensitive personal information such as passwords and credit card details. Phishing attacks take two forms:
• attempts to deceive victims to cause them to reveal their secrets by pretending to be trustworthy entities with a real need for such information;
• attempts to obtain secrets by planting malware onto victims’ machines.
The specific malware used in phishing attacks is subject of research by the virus and malware community and is not addressed in this thesis. Phishing attacks that proceed by deceiving users are the research focus of this thesis and the term ‘phishing attack’ will be used to refer to this type of attack.
Despite numerous countermeasure efforts, the scale and sophistication of phishing attacks are still increasing. The number of reported phishing web sites increased 50 percent from January 2008 to January 2010 [73]. During the 2008 world financial crisis phishing attack incidents increased three times compared to the same period in 2007. The real figure could be much higher because many sophisticated phishing attacks (such as context aware phishing attacks, malware based phishing attacks, and real-time man-in-the-middle phishing attacks against one-time passwords [79]) may not all have been captured and reported. Victims of these phishing attacks may never realise they have been attacked, and many of these sophisticated attacks are targeted and small scale, hence it is likely many of them will not have been captured and reported.
Phishing attacks have not only caused significant financial damage to both users and companies/financial organizations, but also have damaged users’ confidence in e–commerce as a whole. According to Gartner analysts, financial losses stemming from phishing attacks rose to more than 3.2 billion USD with 3.6 million victims in 2007 in the US [60], and consumer anxiety about Internet security resulted in a two billion USD loss in e–commerce and banking transactions in 2006 [58]. In the United Kingdom losses from web banking frauds (mostly from phishing) almost doubled to $46m in 2005, from $24m in 2004, while 1 in 20 computer users claimed to have lost out to phishing in 2005 [60].¹
¹ These figures are the latest the author could obtain on 1st June 2010.
As the Internet continues to transform how people manage their data, complete their business tasks, and share resources, the value of user authentication credentials to access those services will increase. Phishing attacks may compromise the integrity of such valuable authentication credentials, and must be defended against effectively and efficiently. From the victim’s point of view, a phishing attack can be broken down into three stages:
1. Attacker approach: the approach by attackers on a chosen communication channel;
2. Interaction: interaction with the fraudulent entity which impersonates its legitimate counterpart;
3. Exploitation: exploitation of the obtained secret information for financial gain.
A typical phishing attack would engage victims via emails, then lead them to a phishing website. Attackers can either directly use the obtained user authentication credentials to raid victims’ financial assets, or sell them to other criminals. Here I describe a real-life phishing attack to illustrate how phishing works.
The Anti-Phishing Working Group (APWG) [73] and Phishtank [74] collect and archive a large number of reported phishing attacks. An example from Phishtank is an attack against HBOS bank customers on 15th January 2009. It happened during the banking crisis when the HBOS banking group was about to be taken over by Lloyds TSB banking group.
In stage one: the potential victims received an email (shown in Figure 1.1), which claimed to be from HBOS, asking customers to check how the acquisition would affect their bank accounts and update personal information if necessary through the provided hypertext link.
In stage two: if users believed they were interacting with a legitimate email and followed the provided hypertext link, they would give away their authentication credentials to the phishing website (shown in Figure 1.2).
In stage three: the attackers would sell the authentication credentials to others or directly use them to transfer money away from victims’ accounts.
HBOS customers could very easily be deceived by this phishing email. At the time the acquisition was widely reported by public media and the deal was set to be concluded on 19th January 2009. As a result HBOS customers might well have expected such communications. RBS is one of the banks owned by the HBOS group. In addition, the action suggested in this email might seem both rational and professional. The email header also suggests it is from RBS – the ‘From’ field is [email protected]. The hypertext links in the email, except the one leading to the phishing website, all link to the legitimate Lloyds TSB website. The phishing website has been carefully prepared to have the same style and layout as the legitimate Lloyds TSB website, and all its hypertext links lead to the legitimate website. Only users who carefully examine the domain name of the website would discover they are visiting a phishing website; the digits ‘11’ (one one) look very similar to the letters ‘ll’ at a glance. Users do not know when they will be attacked. To avoid falling victim to this attack, users must either analyse the IP address from which an email is actually sent or consistently check very carefully the URL strings of the hypertext links.
Figure 1.1: Phishing Email Screen Shot
Figure 1.2: Phishing Website Screen Shot
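As an added example (written for this page, not code from the thesis), the following Python performs the check the paragraph above asks of users, looking at the hostname of a link rather than at its appearance: it normalises characters that are visually confusable with letters (such as the digit 1 standing in for the letter l) and flags a hostname that only matches a known legitimate domain after normalisation, or that merely uses the legitimate domain as a run of leading subdomain labels in front of an unrelated domain. The allow-listed hostnames and the sample links are constructed placeholders, not the bank’s real domains.

```python
"""Lookalike hostname check.

Added example, not from the thesis. Flags link targets whose hostname
only matches a known legitimate domain once visually confusable
characters are normalised, or which place the legitimate domain's
labels in front of an unrelated domain. All hostnames here are
constructed placeholders.
"""
from urllib.parse import urlsplit

# Constructed allowlist of legitimate hostnames (placeholders).
LEGITIMATE_HOSTS = frozenset({"examplebank.co.uk", "www.examplebank.co.uk"})

# Characters that read as Latin letters at a glance (keys are single characters).
CONFUSABLES = str.maketrans({
    "1": "l", "|": "l", "!": "l",
    "0": "o",
    "5": "s",
    "\u0131": "i",  # Latin dotless i
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
})


def hostname_of(url: str) -> str:
    """Extract the lowercase hostname; a bare hostname without a scheme is accepted too."""
    if "//" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def uses_legitimate_prefix(host: str) -> bool:
    """True if the host starts with all the labels of a legitimate host but carries
    further labels after them, e.g. www.examplebank.co.uk.account-update.example."""
    labels = host.split(".")
    for legit in LEGITIMATE_HOSTS:
        legit_labels = legit.split(".")
        if len(labels) > len(legit_labels) and labels[: len(legit_labels)] == legit_labels:
            return True
    return False


def classify(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unknown' for a link target."""
    host = hostname_of(url)
    if host in LEGITIMATE_HOSTS:
        return "legitimate"
    normalised = host.translate(CONFUSABLES)
    if normalised in LEGITIMATE_HOSTS or uses_legitimate_prefix(normalised):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links of the kind found in a phishing email.
    for link in [
        "https://www.examplebank.co.uk/login",
        "https://www.examp1ebank.co.uk/login",
        "https://www.examplebank.co.uk.account-update.example/login",
        "https://www.unrelated.example/",
    ]:
        print(f"{classify(link):10s} {link}")
```

An ‘unknown’ result is not a verdict of safety; it only says the hostname neither matches nor imitates an allow-listed domain, which is why the check belongs alongside the other cues the thesis discusses rather than in place of them.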
1.2 The Thesis
1.2.1 Statement and the Interpretation of the Hypothesis
The thesis is:
A more refined understanding of the nature of deception in phishing attacks would facilitate more effective user-centred threat identification of web based authentication systems, the development of countermeasures to identified threats, and the production of guidelines for phishing–resilient system designs.
This thesis is an example of multi-disciplinary research where human computer interaction and security meet. Essentially a phishing attack aims to engineer a false perception within a victim’s mind. Having had a false perception constructed in his mind the victim will carry out actions to satisfy the attacker’s goals. To defend against such attacks effectively and efficiently, an understanding of how human users interact with phishing attacks at the user interface and how users perceive the information presented at the interface to form the mental model is vital. Some user studies [21, 77, 26, 50, 46, 88] have investigated human factors, but greater insights are still needed.
An improved understanding of human computer interaction in this domain can aid both prevention and detection of phishing attacks. In the prevention area, the knowledge can help system designers choose user interfaces that help users form accurate mental models, and hence make appropriate decisions; the knowledge can also be used to analyse an authentication system for the vulnerabilities that attackers might exploit to carry out phishing attacks (existing threat modelling techniques do not address the phishing threat, because they do not consider usability of the system and their human factors). This knowledge could also be applied to design detection systems that are easier for users to understand while being much harder for attackers to bypass.
This thesis will demonstrate that all the above claims can be achieved. There are three target audiences for the research reported here: the anti-phishing research community, system designers who design and implement user interfaces for authentication systems, and security practitioners who analyse existing systems and provide security education for end users.
1.2.2 Research Method
Overall the work described in this thesis follows a constructive research approach. The research started with a study of the bodies of literature on social engineering, phishing attack techniques, human factors in phishing attacks, and phishing attack countermeasures. The author concluded that more research was needed to understand how users make decisions during phishing attack interactions. Users’ decision making plays a vital role in deciding the outcome of a phishing attack. With better understanding in this area, more effective countermeasures could be discovered.
In the next phase of the research cognitive walkthroughs [13] were used to study a large number of social engineering and phishing attack incidents. Drawing on the findings of the walkthroughs, a user-phishing interaction model was constructed.
The knowledge obtained in the first two phases of the research formed the base for the final phase of the research – creating more effective phishing attack prevention and detection methods. The author proposed a threat modelling method to identify threats that can be realised by attacking users of authentication systems. To demonstrate the merits of the method, it is applied to study two widely used authentication systems. The user-phishing interaction model suggests that users who fall victim to phishing attacks construct false perceptions in their minds and subsequently carry out actions to release sensitive information to attackers. The false perceptions and subsequent actions are common to most, if not all, phishing attacks. This inspired the creation of a detection technique which ignores how phishing attacks are presented, and focuses instead on users’ actions to release sensitive information to parties to whom such sensitive information has never been released before. The findings in the first two phases of the research have also influenced the design decisions relating to the usability of this detection system. The detection accuracy (including false positives) of the detection system is also evaluated.
1.3 Major Contributions
The major contributions this thesis makes are:
User Phishing Interaction Model: a psychological model to capture the general process of decision making during user-phishing interaction and important factors that can influence the outcome of such decision making. It is useful for designing security tools/indicators, evaluating how well a phishing detection tool can assist users to detect phishing attacks, and designing effective and efficient user education methods.
Threat Modelling methods for Web Authentication Systems: a framework and related methods to identify and assess user-related vulnerabilities within internet based user authentication systems.
User Behaviour Based Phishing Attacks Detection System: a novel phishing website detection approach and its prototype.
1.4 Brief Overview of the Chapters
The subsequent chapters of this thesis are as follows:
Chapter 2 reviews existing publications in the fields of understanding human factors in phishing attacks, phishing detection systems, and social engineering/semantic attacks in general. It also identifies gaps in existing work.
Chapter 3 describes a model to capture essential characteristics within user–phishing–attack interactions, and describes the applications of this model.
Chapter 4 introduces a new method to systematically analyse potential vulnerabilities that exist in web-based authentication systems. It also presents two case studies to demonstrate the merit of this method.
Chapter 5 describes the design, implementation and evaluation of UBPD – a phishing website detection system. The detection system is based on past user behaviours and it is much harder to bypass than most current detection systems.
Chapter 6 concludes the thesis and its contributions and also points out areas where future research could be conducted.
Introduction to Social Engineering and Phishing attacks
This chapter provides an introduction to social engineering and phishing attack techniques, and reviews related human factors studies and techniques to counter phishing attacks.
2.1 Overview
The research literature reviewed in this chapter can be classified into the following four categories:
1. understanding of attacks (both social engineering attacks in general and phishing attacks in particular);
2. bounded rationality decision making theory;
3. investigation of human factors in security; and
4. techniques to prevent and detect phishing attacks.
2.2 Understanding of Attacks
2.2.1 Social Engineering/Semantic Attacks
Social engineering (SE) attacks generally achieve their goals by manipulating victims to execute actions against their interests. This term typically applies to trickery or deception for the purpose of information gathering, fraud or gaining computing system access. Phishing attacks are a subset of social engineering attacks.
Kevin Mitnick, who acquired millions of dollars by carrying out social engineering attacks, is arguably the best known social engineering attacker. His book "The art of deception: Controlling the Human Element of Security" [65] defined social engineering as follows:
Using influence and persuasion to deceive people by con-vincing them that the attacker is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information, or to persuade them to perform an action item, with or without the use of technology.
There is no commonly accepted definition for the term “Social Engineering”. Mitnick’s definition has considerable appeal.¹ It highlights that people are the major target of attack, indicates some of the important tools used by attackers, such as influence and persuasion, and summarises the objectives of the attack. But this definition does not address why people can be so easily deceived, and does not provide a fundamental structure or model for SE attacks. Moreover, the objectives of SE in his description are not comprehensive.
Mitnick’s book has four parts. Part 1 introduces the basic elements of social engineering. Parts 2 and 3 use a lot of “fictional” stories and phone transcripts to show how an attacker can manipulate employees into revealing seemingly innocent pieces of information that are later used (sometimes on an ongoing basis) to extend the confidence trick, gain more access, steal information, “borrow” company resources, and otherwise defraud companies or individuals out of just about anything. The stories are very basic examples of social engineering that are designed to raise awareness. The majority of the tactics described focus on impersonating someone who should have legitimate access to the data, but for one reason or another cannot get to it. The attacker then enlists the aid of a helpful but unsuspecting employee to retrieve the information for them. In many cases, this is a process that involves a number of employees, all of whom provide small bits of seemingly unimportant information that become pieces in a large puzzle. He also analyses the attacks from both the attacker’s and victim’s perspective and offers advice on how to protect against similar attacks. In Part 4 Mitnick provides a number of sample security policies and procedures, including data classification categories, verification and authentication procedures, guidelines for awareness training, methods of identifying social engineering attacks, warning signs, and flowcharts for responding to requests for information or action. The majority of policies and procedures are not novel and are largely based on the ideas suggested by Charles Cresson Wood [15].
¹ Other definitions: "The art and science of getting people to comply to your wishes" – Harl, "People hacking" [39]; "social engineering is the process of deceiving people into giving confidential, private or privileged information or access to a hacker." – Rusch, Jonathan J. [76]; "social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust. The hacker’s goal is to obtain information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system." – Sarah Granger [34, 35]
Many publications [33, 34, 35, 36, 59] on SE have summarised the techniques SE uses and the media through which SE is conducted. A few of them have tried to classify SE attacks. One of the best known classifications of SE is given by Sarah Granger [34, 35]. It partitions social engineering into the following five categories:
1. Social engineering by phone (telephone communication);
2. Dumpster diving (office waste);
3. Online social engineering (the Internet);
4. Persuasion (face to face communication); and
5. Reverse social engineering.
It classifies SE based on the techniques rather than the nature of the attacks. The first four categories are based on the communication medium used to convey SE (the communication medium is given in parentheses above). The last category is a special case of SE using scenarios where the victim is the party who initiates the communication. In such a case the victim will be much easier to deceive, because they initiated the communication and they will likely trust the attacker more. Others [33, 59] have chosen to classify SE by targets of attacks, or by tools or techniques used by the attacks.
All these classifications are useful for introducing SE. However, they do not reveal the nature of SE nor provide any insight into why SE works. We might expect those existing classifications to fail to cover new attacks as SE evolves, especially when new SE attacks use different communication media, or are different in appearance. For example, the USB SE attacks [20] do not fit into Granger’s classification. Most importantly such classifications cannot directly be applied to facilitate proactive SE detection and guide the design of SE resilient systems. Existing classifications view social engineering from the attacker’s point of view. They are useful to define what SE is, and serve as a tutorial about how SE attacks are executed. But they are less useful when it comes to helping identify SE attacks, improving the security of the system at the design stage, and contributing to automated detection solutions.
2.2.2 Phishing Attacks
Phishing is a special type of social engineering attack. In his phishing attack guides [70, 69] Ollmann has described the anatomy of phishing attacks and surveyed phishing attack prevention techniques. He described phishing attack threats from the following three aspects:
• social engineering factors;
• how phishing messages are delivered to victims via email, web, IRC, instant messenger, and trojan horses;
• techniques used in phishing attacks such as man-in-the-middle attacks, URL Obfuscation, cross site scripting, preset session attacks, etc.
In his report he also provides detailed advice on how to use existing technologies to counter phishing threats from both client and server sides as well as on what organisations can do to prevent them. He identifies the following countermeasures that can be applied on the client side:
1. desktop protection technologies;
2. utilisation of appropriate, less sophisticated communication settings;
3. user application-level monitoring solutions;
4. locking-down browser capabilities;
5. digital signing and validation of email; and
6. improving general security awareness.
He also identifies the following countermeasures that can be applied on the server side:
1. improving customer awareness;
2. providing validation information for official communications;
3. ensuring that Internet web applications are securely developed and do not include easily exploitable attack vectors;
4. using strong token-based authentication systems; and
5. keeping naming systems simple and understandable.
Finally he also suggests businesses and ISPs should use technologies to protect against phishing attacks at the enterprise level. The following enterprise solutions are suggested:
1. automatic validation of sending email server addresses;
2. digital signing of email services;
3. monitoring of corporate domains and notification of “similar” registrations;
4. perimeter or gateway protection agents; and
5. third-party managed services.
Together with the counter-measure mechanisms on both client and server sides, phishing attacks can be defended effectively at multiple levels, giving better protection to users.
Watson et al. have carried out a study to observe real phishing attacks in the wild by using Honeynet [84]. This study focuses on how attackers build, use and maintain their infrastructure of hacked systems. The report is based on data collected by the German Honeynet Project and the UK Honeynet Project. They do not cover all possible phishing methods or techniques, focussing instead on describing the following three techniques observed:
1. phishing through compromised web servers;
2. phishing through port redirection; and
3. phishing using botnets.
They also briefly describe how the observed attacks transfer money they have stolen from victims’ bank accounts. Their work provides some insights into how phishing attacks are implemented in reality.
To formally understand the phishing attack from the technical point of view, Jacobsson has introduced a method to describe a variety of phishing attacks in a uniform and compact manner via a graphical model [47]. He has also presented an overview of potential system vulnerabilities and corresponding defence mechanisms.
In such a graph, there are two types of vertices; those corresponding to access to some information; and those corresponding to access to some resource. Actions are represented as edges in the graph. Two vertices are connected by an edge if there is an action that would allow an adversary with access corresponding to one of the vertices to establish access corresponding to the other of the vertices. Some set of nodes correspond to possible starting states of attackers, where the state contains all information available to the attacker. (This may simply consist of publicly available information.) One node corresponds to access to some resource of the attacker’s choosing, call this the target node. For an attack to be successful, there needs to be a path from a starting state to the target node. Figure 2.1 illustrates the graphical model for a man-in-a-middle phishing attack.
Figure 2.1: Graph Model For A Man-in-a-middle Phishing Attack From [47]
An explanation [47] for the model illustrated in Figure 2.1 is given below:
vertex v1 corresponds to knowledge of the name of the administrative contact of a domain to be attacked. Vertex v2 corresponds to knowledge of the appropriate credit card number, and vertex v3 to access to the account. Finally, v4 corresponds to knowledge of a service for which a user in the attacked domain is registered as the administrative contact, and where passwords are emailed to administrators claiming to have forgotten the passwords, and v5 to access to the account of such a site. There is an edge e12 corresponding to the action of finding out credit card numbers associated with a person with a given name. Edge e23 corresponds to the action of using the correct credit card number to authenticate to the site, and edge e345 to requesting a forgotten password to be emailed. Note that both v3 and v5 may be considered target nodes.
Figure 2.2: Phishing Attacks From Start To Finish [6]
Although the model can be consistently applied to describe phishing attacks, it offers little value in helping understand why phishing attacks work and how to prevent and detect them.
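The path condition described above, worked through on the Figure 2.1 graph as an added example (this is not code from the thesis or from [47]): each action needs a set of access vertices and grants one more; the closure from a starting state tells whether a target is reachable, and removing one action at a time shows which single defence would cut every path. Treating e345 as requiring both v3 and v4 is my own reading of the edge label, not something the page states.

```python
from collections import namedtuple

# An action (edge) needs a set of access vertices and grants one new vertex.
Action = namedtuple("Action", "name needs grants")

# Constructed from the description of Figure 2.1. The prerequisites of e345
# (both v3 and v4) are an assumption about how the edge label reads.
ACTIONS = [
    Action("e12", {"v1"}, "v2"),          # name of admin contact -> card number
    Action("e23", {"v2"}, "v3"),          # card number -> access to the account
    Action("e345", {"v3", "v4"}, "v5"),   # account + knowledge of service -> site
]


def reachable(start, actions):
    """Fixed-point closure: every vertex an attacker can reach from `start`."""
    have = set(start)
    changed = True
    while changed:
        changed = False
        for a in actions:
            if a.grants not in have and a.needs <= have:
                have.add(a.grants)
                changed = True
    return have


def attack_path(start, target, actions):
    """Ordered action names forming one path from `start` to `target`, or None."""
    have = set(start)
    path = []
    progress = True
    while target not in have and progress:
        progress = False
        for a in actions:
            if a.grants not in have and a.needs <= have:
                have.add(a.grants)
                path.append(a.name)
                progress = True
                break
    return path if target in have else None


def blocking_actions(start, target, actions):
    """Actions whose removal on its own makes `target` unreachable from `start`."""
    return [
        a.name
        for a in actions
        if target not in reachable(start, [b for b in actions if b is not a])
    ]


if __name__ == "__main__":
    public = {"v1", "v4"}   # starting state: publicly available knowledge
    print("path to v5:", attack_path(public, "v5", ACTIONS))
    print("single actions that break every path:", blocking_actions(public, "v5", ACTIONS))
    print("without v4, reachable:", sorted(reachable({"v1"}, ACTIONS)))
```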
Abad has studied the flow of phishing attacks from an economics point of view [6]. He derived the reported results by analysing 3,900,000 phishing mails and 220,000 messages. The data was collected from 13 key phishing-related chat rooms and 48,000 users which were spread across six chat networks and 4,400 compromised hosts used in botnets. He concludes that phishing attacks from the attackers’ point of view have five stages: planning, setup, attack, collection, and cashing. (The graphical model is illustrated in Figure 2.2.) He also discovered that phishing attacks are organized and well co-ordinated with participants having specific roles to play. These participants serve each other by exchanging services or information for cash and their behaviours follow the laws of supply and demand. Using the model presented by this study, one can clearly understand the sophistication of phishing attacks. The model could also be useful for identifying points where intervention could be made to prevent phishing attacks from succeeding.
In-Session Phishing Attacks
The phishing attacks which have been described so far all need to actively engage users via a communication channel. In-session phishing [54], a more recently reported type of attack, uses a more passive mode, and yet is still very effective.
This type of attack exploits users’ opening of multiple web pages at the same time. It can succeed if a user has logged into one of the websites which the attacker would like to impersonate and has opened a web page from a compromised website. On the compromised website the attacker plants malware to identify which website the victim user is currently logged on to; the malware then presents a dialogue box which asks the user to retype their user name and password because the session has expired, or to complete a customer satisfaction survey, or to participate in a promotion, etc. Since the user had recently logged onto the targeted website, he/she is unlikely to suspect this pop-up is fraudulent and thus is likely to provide the requested details.
Identifying the websites to which a user is currently logged on can be more difficult to achieve. Jeremiah Grossman et al. have described a method to detect the state of authentication by loading images that are only accessible to logged-in users [19]. There are other methods that can achieve this by exploiting vulnerabilities within web browsers. However, those methods are not general. In Section 2.4.1, a general method is described.
2.3 Bounded Rationality
Phishing attacks achieve their goals when users have been deceived to carry out certain actions. It is certainly against users’ interests to satisfy attackers’ goals. However, they still decide to do so. If human behaviour can be understood as a purposeful attempt to achieve well-being, then why would phishing attack victims make such decisions?
Bounded rationality [80] is the decision making theory proposed by Herbert Alexander Simon. Simon suggested that decision-makers arrive at their decisions by rationally applying the information and resources that are easily available to them, with the consequence that satisfactory rather than optimal decisions result.
Bounded rationality theory has great value for understanding why users make certain decisions during their interactions with phishing attacks. It recognises that in practice rational decisions are often impossible and users’ rationality is limited by the information available to them. In phishing attacks, the rationality of users could be strongly limited by the information presented to them at the user interface. It also recognises that the time available to decision makers and their own cognitive ability are limiting factors. In Simon’s theory, the cost of gathering and processing the information would also greatly influence the rationality of a decision one made. It would be interesting to apply the principles of bounded rationality to understand user victims’ decision making during interactions with phishing attacks.
2.4 Human Factors
In phishing attacks human users are the targets of attack. To be able to provide them with appropriate warning messages and design secure usable interfaces, understanding why they fall victim and how they behave in cyberspace is essential.
Dhamija et al. have investigated why users fall victim to phishing attacks by carrying out a controlled phishing attack user study [21]. In this study 20 web sites were presented in no particular order to 22 participants. The participants were asked to determine which websites they visited were fraudulent, and to provide rationales. They identified three major causes for victimhood:
1. a lack of understanding of how computer systems work. Many users lack underlying knowledge of how operating systems, applications, email and the web work and how to distinguish among these;
2. a lack of attention to security indicators or the absence of security indicators; and
3. the high quality visual deception practised by the phishers.
The highly controlled nature of this study may lead to biased conclusions or failure to identify important factors in why phishing works. In the experiment, users’ attention is directed to making a decision regarding the authenticity of the websites. However, in a real-world setting, users would have a range of tasks they wish to perform and establishing the authenticity of any accessed websites might not be a primary concern.
Schechter et al. evaluated website authentication measures that are designed to protect users from phishing attacks [77]. 67 bank customers were asked to conduct common online banking tasks. Each time they logged in, they were presented with increasingly alarming clues that their connection was insecure. First, HTTPS indicators were removed; second, the participant’s site-authentication image (the customer-selected image that many websites now expect their users to verify before entering their passwords) was removed; finally, the bank’s password-entry page was replaced with a warning page. After each clue, researchers then checked whether participants entered their passwords or withheld them. The researchers also investigated how a study’s design affects participant behaviour: they asked some participants to play specially created user roles and others to use their own accounts and passwords. Their major findings are:
1. users will enter their passwords even when HTTPS indicators are absent;
2. users will enter their passwords even if site authentication images are absent;
3. site-authentication images may cause users to disregard other important security indicators; and
4. role-playing participants behaved significantly less securely than those using their own passwords.
Again, because of the experiment conditions, there could be an overestimate of the ineffectiveness of the security indicators.
Egelman et al. examined the effectiveness of web browsers’ phishing warnings and investigated if, how, and why they fail users [26]. In their study they used a spear phishing attack to expose users to browser warnings. 97% of the sixty participants fell for at least one of the phishing messages sent to them; 79% of participants paid attention to an active warning, while in contrast only one participant noticed a passive warning. Egelman et al. also applied the C-HIP model [86] (Figure 2.3) from the warning sciences to analyse how users perceive warning messages, and suggest:
1. interrupting the primary task: phishing indicators need to be designed to interrupt the user’s task;
2. providing clear choices: phishing indicators need to provide the user with clear options on how to proceed, rather than simply displaying a block of text;
3. failing safely: phishing indicators must be designed such that one can only proceed to the phishing website after reading the warning message;
4. preventing habituation: phishing indicators need to be distinguishable from less serious warnings and used only when there is a clear danger; and
5. altering the phishing website: phishing indicators need to distort the look and feel of the website such that the user does not place trust in it.
The suggestions made by Egelman et al. are very useful indeed; however, their claim on spear phishing could be made more convincing if their study included an extended range of spear phishing attacks. Otherwise, one could also argue that the results exhibit biases due to the small number of attack incidents used or the sophistication of the attacks used in the study.
Jakobsson et al. have studied what makes phishing emails and web pages appear authentic [50]. Elsewhere Jakobsson summarised comprehensively what typical computer users are able to detect when they are carefully watching for signs of phishing [48]. The findings are:
1. spelling and design matter;
2. third party endorsements depend on brand recognition;
3. too much emphasis on security can backfire;
4. people look at URLs;
5. people judge relevance before authenticity;
6. emails are very phishy, web pages are a bit phishy, and phone calls are not;
7. padlock icons have limited direct effects; and
8. independent communication channels create trust.
Figure 2.3: C-HIP Model [86]
These outcomes provide some comfort and yet are a source of considerable worry, highlighting various opportunities and means of attack. That people look at URLs is a good thing. However, the reason why users look at URLs is not stated, and the degree of attention they pay to them is unclear. The padlock would generally be viewed by many as a significant security mechanism. Not by users, it would appear. The outcome related to media/channel highlights the fact that phishers make highly effective channel choices.
Jagatic et al. have shown how publicly available personal information from social networks (such as Friendster, Myspace, Facebook, Orkut, and Linkedin) can be used to launch effective context aware phishing attacks [46]. In their studies they first determine a victim’s social networks and then masquerade as one of their social contacts to create an email to the victim (using email header spoofing techniques). Figure 2.4 illustrates the details of the set up of the study. Their study has shown that not only is it very easy to exploit the social network data available on the Internet, but it also increases the effectiveness of the attack significantly. In their experiment, the attacks that took advantage of social networks were four times as likely to succeed.
Figure 2.4: Context Aware Phishing Attacks Experiment Design [46]
Below is an explanation of Figure 2.4 (directly taken from [46]):
1. Blogging, social network, and other public data is harvested; 2. data is correlated and stored in a relational database; 3. heuristics are used to craft “spoofed” email message by Eve “as Alice” to Bob (a friend); 4. message is sent to Bob; 5. Bob follows the link contained within the email and is sent to an unchecked redirect; 6. Bob is sent to attacker whuffo.com site; 7. Bob is prompted for his University credentials; 8. Bob’s credentials are verified with the University authenticator; 9a. Bob is successfully phished; 9b. Bob is not phished in this session; he could try again.
Figure 2.5: Three Simulated Toolbars [88]
Wu et al. have discovered by conducting two user studies that security tools such as security toolbars are not effective enough to protect people from falling victim to phishing attacks [88]. Features of five toolbars are grouped into three simulated toolbars. The three simulated toolbars shown in Figure 2.5 are: the Neutral Information toolbar, the SSL-Verification toolbar, and the System-Decision toolbar.
In the user study the researchers set up dummy accounts in the name of “John Smith” at various legitimate e-commerce websites and then asked the participants to protect those passwords. The participants played the role of John Smith’s personal assistant and were given a printout of John’s profile, including his fictitious personal and financial information and a list of his user names and passwords. The task was to process 20 email messages, most of which were requests by John to handle a forwarded message from an e-commerce site. Each message contained a link for the user to click. Some messages were carefully prepared phishing attacks. The researchers then studied the participants’ responses when using the various toolbars. Most participants fell victim to the phishing attacks. Based on their findings, the authors suggest that:
1. the alert should always appear at the right time with the right warning message;
2. user intentions should be respected, and if users must make security-critical decisions they should be made consciously; and
3. it is best to integrate security concerns into the critical path of users’ tasks so that users must address them.
The user study set up by Wu et al. may lead the users to behave less securely, because the account used is artificial and there are no negative consequences for the participants. Under those conditions users may behave differently than they normally do with their own accounts.
Florencio et al. have carried out a large scale study of password use and password reuse habits [28]. Their study involved half a million users over a three month period. Software on the client machine recorded the password usage, strength, use frequency, etc. They estimated that the average number of distinct passwords of a user was 7, and that on average each password is used at 6 different websites. Weak passwords are reused more often than strong passwords. A user on average has over 25 password accounts. Users do use stronger passwords for more important accounts. They also discovered that even as users perceive the need, or are forced, to use stronger passwords, it appears that they use longer lower-case passwords and use upper case and special characters hardly at all. Users appear to forget passwords and perform other administrative functions (reset or change password) a lot. For example, Yahoo password change operations occur 15% as frequently as Yahoo sign-in operations.
Downs et al. conducted interviews with 20 non-expert computer users to reveal their strategies and understand their decisions when encountering possibly suspicious emails [24]. They have found:
• average users are more aware of the threats to computers and confidential information caused by malware than by social engineering attacks;
• users do pay attention to security indicators but lack sufficient knowledge to correctly interpret them. Interpretation of URL strings is a good example; and
• most user strategies to decide the trustworthiness of email are based on the content of the email. Again this shows users’ awareness of threats but lack of knowledge to make correct judgements given current user interface design.
For many years malware such as viruses received a great deal of attention. Furthermore, many users may be familiar with (automated) updates of anti-malware software. We should not be too surprised at the first outcome above. The underlying cause for the second point may be impossible to fix on a wide scale. The final outcome confirms Jakobsson’s view that relevance is more important than authenticity.
Wright et al. tested and extended the Model of Deception Detection [37] by Grazioli [87]². The researchers aimed to understand how users determine whether the communications they receive are legitimate or not, and claimed that users’ web experience and propensity to trust are the two most influential factors in determining whether users will successfully detect deception. In their user study, carefully prepared phishing email messages were sent to participants, and follow-up interviews were also conducted to gain insights into why participants successfully detected deceptions. The participants of this user study were all university students, and the majority of them were well educated in terms of technical knowledge of the Internet. The characteristics of the participants were certainly different from those of the general public. Hence, the findings of this study may not generalise. The model of deception detection will be further discussed in Chapter 3.
2.4.1 Timing Attack Techniques
Personalised phishing attacks/spear phishing attacks have much better chances of obtaining victims’ sensitive information. To launch such attacks the attacker must first obtain any necessary information such as victims’ names, with whom they have bank accounts, etc. Bortz et al. have described two timing-attack methods which can be used to obtain private information and have discussed methods for writing web application code that resists these attacks [10].
2Wright’s work was published after the completion and publication of the work that forms the basis of Chapter 3 of this thesis (the author was unaware of the work of Grazioli).
They call the first method the direct timing attack. An attacker can launch this attack directly from their own machine by analysing the response time from a website. It can expose information such as the validity of a user name at a secured site. In the case of proving validity of a user name at a secured website, they demonstrated the attack method by directly communicating with the web server and carefully timing the response. They used both valid and invalid user names to log in to the web server, and compared the time the web server took to respond to the login requests. As shown in Figure 2.6 there is a significant difference between the response times.
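As an added example (not from the thesis or from Bortz et al.), the following Python sketch contrasts a login check whose early return on unknown user names produces the response-time gap described above with one that performs the same password-hashing work on every path, which is the kind of server-side fix the direct timing attack calls for. The account store, credentials and work factor are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000  # PBKDF2 work factor; chosen so the timing gap is visible

def derive(password: str, salt: bytes) -> bytes:
    """Slow password hash, as a login server would compute on every attempt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed demo account store: username -> (salt, stored hash). Not real data.
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, derive("correct horse battery", _ALICE_SALT))}
# Dummy credential used for unknown user names so the server does identical work.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = derive(os.urandom(16).hex(), _DUMMY_SALT)

def login_leaky(username: str, password: str) -> bool:
    """Vulnerable shape: an unknown user name returns before any hashing is done,
    so a fast rejection tells the caller that the user name does not exist."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(derive(password, salt), stored)

def login_uniform(username: str, password: str) -> bool:
    """Hardened shape: hash against a dummy record when the user is unknown,
    so valid and invalid user names follow the same code path and cost."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(derive(password, salt), stored)
    return matched and username in USERS

def best_of(fn, *args, rounds: int = 5) -> float:
    """Minimum wall-clock time over several calls, the usual timing estimator."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        fn(*args)
        best = min(best, time.perf_counter() - start)
    return best

if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        known = best_of(fn, "alice", "wrong password")
        unknown = best_of(fn, "nobody", "wrong password")
        print(f"{fn.__name__}: known={known*1e3:.2f} ms  unknown={unknown*1e3:.2f} ms")
```

Running the module prints a large known/unknown gap for login_leaky and near-identical times for login_uniform; the dummy-record approach only helps if every other branch (account lockout, logging, database lookups) is also kept uniform.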
The second method is called the cross-site timing attack, which enables a malicious website to obtain information by sending requests from a user’s computer. The direct attack is limited to discovery of static information; it cannot reveal private information such as a user’s current status on the Internet, e.g. which websites he/she is logged into. In reality, if a user logs into a website, some cache mechanism will be enabled on the server side, or else a cookie will likely be set on the client side to improve the response time. So if one can make requests as another user, one can determine whether that user has logged into a certain website or not by analysing the response time. This attack method is only possible when the victim is visiting a malicious website. The malicious website contains JavaScript code to make requests to target websites and time the responses. Figure 2.7 shows that there are significant timing differences if victims are logged on to the target websites. Using this method, a malicious website, in some
